Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
19/12/2024, 21:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fb12ef0c7ceb8c61cc80243be031f872bc8ecd9f31d9f6ce3ae244684053d944N.exe
Resource
win7-20240708-en
7 signatures
120 seconds
General
-
Target
fb12ef0c7ceb8c61cc80243be031f872bc8ecd9f31d9f6ce3ae244684053d944N.exe
-
Size
452KB
-
MD5
faac8709757582d5afad06134b35e5e0
-
SHA1
2fede6686b9d39a03c4a312bc28ade7c0871f212
-
SHA256
fb12ef0c7ceb8c61cc80243be031f872bc8ecd9f31d9f6ce3ae244684053d944
-
SHA512
d405e0a8c7fffe024a6d2d81bec7764f4aeb91452f71dca5696a149ee8eb6aea6397826c220f58246cdb6d0bbbb9b2210d01b525b47084627057a0e1f444f564
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeL:q7Tc2NYHUrAwfMp3CDL
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 56 IoCs
resource yara_rule behavioral1/memory/2052-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/772-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2076-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-60-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2808-79-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2808-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3008-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3008-90-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3008-88-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2532-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/680-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-123-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1240-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1640-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/924-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2400-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1452-187-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2860-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2860-169-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1720-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1724-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1988-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/844-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/908-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2624-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1232-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1864-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1516-312-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2964-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2440-376-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2440-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1604-402-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2260-409-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/324-415-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1580-443-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/860-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2184-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/972-484-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon 
behavioral1/memory/1708-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/968-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/968-527-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/968-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-611-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2004-668-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2512-738-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1524-781-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/784-839-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/3068-887-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2748-893-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2580-919-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2820-990-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 772 hhbnhb.exe 2076 642668.exe 3020 44846.exe 2884 04806.exe 2672 22242.exe 2752 tnttbt.exe 2660 0040246.exe 2808 1jjvp.exe 3008 pjjjv.exe 2532 u660482.exe 2968 thbnht.exe 680 00820.exe 2024 xxxlxlx.exe 1988 ffffxxx.exe 1240 8444642.exe 1724 5fllrll.exe 1640 2668026.exe 2860 vdpdp.exe 2136 02440.exe 1452 42046.exe 924 40840.exe 2400 00408.exe 276 062046.exe 1720 0006464.exe 844 08282.exe 908 i008026.exe 2624 84206.exe 2144 hnbbnn.exe 2012 4688004.exe 1232 s6648.exe 2132 3ttnnn.exe 1468 hntbbt.exe 1864 c020282.exe 1516 llxxffl.exe 2964 rrrlxlf.exe 2432 48688.exe 3068 flfxlfx.exe 2732 840844.exe 2680 lxxlxlf.exe 2760 048024.exe 2896 q46622.exe 2852 7rlrrll.exe 2784 64806.exe 2440 vpjvv.exe 2308 02624.exe 3024 ttnthn.exe 2192 4480840.exe 1604 i620044.exe 2260 46884.exe 324 486082.exe 1892 bthbht.exe 1268 0862442.exe 1572 28288.exe 1580 djppd.exe 2988 20484.exe 860 882020.exe 1900 62026.exe 2184 888040.exe 2400 84800.exe 972 hhttbb.exe 1708 fflxlfx.exe 1100 2444684.exe 1524 6226084.exe 448 22800.exe -
resource yara_rule behavioral1/memory/2052-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/772-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-99-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2532-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/680-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1240-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1640-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/924-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1724-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/844-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/908-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1232-278-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1468-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-376-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2440-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1604-402-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2260-409-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/1892-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/860-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/972-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/968-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/968-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1316-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1516-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-648-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-668-0x00000000003A0000-0x00000000003CA000-memory.dmp upx 
behavioral1/memory/1204-687-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-694-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-738-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1524-781-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2188-800-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/784-831-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1548-840-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-880-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-920-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-990-0x00000000002B0000-0x00000000002DA000-memory.dmp upx behavioral1/memory/1452-1003-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/920-1047-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60460.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fllfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxllff.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2888828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxfrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxxlxx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6224826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 062046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0660844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 004662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q40246.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xxlflf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2052 wrote to memory of 772 2052 fb12ef0c7ceb8c61cc80243be031f872bc8ecd9f31d9f6ce3ae244684053d944N.exe 30 PID 2052 wrote to memory of 772 2052 fb12ef0c7ceb8c61cc80243be031f872bc8ecd9f31d9f6ce3ae244684053d944N.exe 30 PID 2052 wrote to memory of 772 2052 fb12ef0c7ceb8c61cc80243be031f872bc8ecd9f31d9f6ce3ae244684053d944N.exe 30 PID 2052 wrote to memory of 772 2052 fb12ef0c7ceb8c61cc80243be031f872bc8ecd9f31d9f6ce3ae244684053d944N.exe 30 PID 772 wrote to memory of 2076 772 hhbnhb.exe 31 PID 772 wrote to memory of 2076 772 hhbnhb.exe 31 PID 772 wrote to memory of 2076 772 hhbnhb.exe 31 PID 772 wrote to memory of 2076 772 hhbnhb.exe 31 PID 2076 wrote to memory of 3020 2076 642668.exe 32 PID 2076 wrote to memory of 3020 2076 642668.exe 32 PID 2076 wrote to memory of 3020 2076 642668.exe 32 PID 2076 wrote to memory of 3020 2076 642668.exe 32 PID 3020 wrote to memory of 2884 3020 44846.exe 33 PID 3020 wrote to memory of 2884 3020 44846.exe 33 PID 3020 wrote to memory of 2884 3020 44846.exe 33 PID 3020 wrote to memory of 2884 3020 44846.exe 33 PID 2884 wrote to memory of 2672 2884 04806.exe 34 PID 2884 wrote to memory of 2672 2884 04806.exe 34 PID 2884 wrote to memory of 2672 2884 04806.exe 34 PID 2884 wrote to memory of 2672 2884 04806.exe 34 PID 2672 wrote to memory of 2752 2672 22242.exe 35 PID 2672 wrote to memory of 2752 2672 22242.exe 35 PID 2672 wrote to memory of 2752 2672 22242.exe 35 PID 2672 wrote to memory of 2752 2672 22242.exe 35 PID 2752 wrote to memory of 2660 2752 tnttbt.exe 36 PID 2752 wrote to memory of 2660 2752 tnttbt.exe 36 PID 2752 wrote to memory of 2660 2752 tnttbt.exe 36 PID 2752 wrote to memory of 2660 2752 tnttbt.exe 36 PID 2660 wrote to memory of 2808 2660 0040246.exe 37 PID 2660 wrote to memory of 2808 2660 0040246.exe 37 PID 2660 wrote to memory of 2808 2660 0040246.exe 37 PID 2660 wrote to memory of 2808 2660 0040246.exe 37 PID 2808 wrote to memory of 3008 2808 1jjvp.exe 38 PID 2808 wrote to memory of 
3008 2808 1jjvp.exe 38 PID 2808 wrote to memory of 3008 2808 1jjvp.exe 38 PID 2808 wrote to memory of 3008 2808 1jjvp.exe 38 PID 3008 wrote to memory of 2532 3008 pjjjv.exe 39 PID 3008 wrote to memory of 2532 3008 pjjjv.exe 39 PID 3008 wrote to memory of 2532 3008 pjjjv.exe 39 PID 3008 wrote to memory of 2532 3008 pjjjv.exe 39 PID 2532 wrote to memory of 2968 2532 u660482.exe 40 PID 2532 wrote to memory of 2968 2532 u660482.exe 40 PID 2532 wrote to memory of 2968 2532 u660482.exe 40 PID 2532 wrote to memory of 2968 2532 u660482.exe 40 PID 2968 wrote to memory of 680 2968 thbnht.exe 41 PID 2968 wrote to memory of 680 2968 thbnht.exe 41 PID 2968 wrote to memory of 680 2968 thbnht.exe 41 PID 2968 wrote to memory of 680 2968 thbnht.exe 41 PID 680 wrote to memory of 2024 680 00820.exe 42 PID 680 wrote to memory of 2024 680 00820.exe 42 PID 680 wrote to memory of 2024 680 00820.exe 42 PID 680 wrote to memory of 2024 680 00820.exe 42 PID 2024 wrote to memory of 1988 2024 xxxlxlx.exe 43 PID 2024 wrote to memory of 1988 2024 xxxlxlx.exe 43 PID 2024 wrote to memory of 1988 2024 xxxlxlx.exe 43 PID 2024 wrote to memory of 1988 2024 xxxlxlx.exe 43 PID 1988 wrote to memory of 1240 1988 ffffxxx.exe 44 PID 1988 wrote to memory of 1240 1988 ffffxxx.exe 44 PID 1988 wrote to memory of 1240 1988 ffffxxx.exe 44 PID 1988 wrote to memory of 1240 1988 ffffxxx.exe 44 PID 1240 wrote to memory of 1724 1240 8444642.exe 45 PID 1240 wrote to memory of 1724 1240 8444642.exe 45 PID 1240 wrote to memory of 1724 1240 8444642.exe 45 PID 1240 wrote to memory of 1724 1240 8444642.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb12ef0c7ceb8c61cc80243be031f872bc8ecd9f31d9f6ce3ae244684053d944N.exe"C:\Users\Admin\AppData\Local\Temp\fb12ef0c7ceb8c61cc80243be031f872bc8ecd9f31d9f6ce3ae244684053d944N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\hhbnhb.exec:\hhbnhb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:772 -
\??\c:\642668.exec:\642668.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\44846.exec:\44846.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\04806.exec:\04806.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\22242.exec:\22242.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\tnttbt.exec:\tnttbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\0040246.exec:\0040246.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\1jjvp.exec:\1jjvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\pjjjv.exec:\pjjjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\u660482.exec:\u660482.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\thbnht.exec:\thbnht.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\00820.exec:\00820.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:680 -
\??\c:\xxxlxlx.exec:\xxxlxlx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\ffffxxx.exec:\ffffxxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\8444642.exec:\8444642.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1240 -
\??\c:\5fllrll.exec:\5fllrll.exe17⤵
- Executes dropped EXE
PID:1724 -
\??\c:\2668026.exec:\2668026.exe18⤵
- Executes dropped EXE
PID:1640 -
\??\c:\vdpdp.exec:\vdpdp.exe19⤵
- Executes dropped EXE
PID:2860 -
\??\c:\02440.exec:\02440.exe20⤵
- Executes dropped EXE
PID:2136 -
\??\c:\42046.exec:\42046.exe21⤵
- Executes dropped EXE
PID:1452 -
\??\c:\40840.exec:\40840.exe22⤵
- Executes dropped EXE
PID:924 -
\??\c:\00408.exec:\00408.exe23⤵
- Executes dropped EXE
PID:2400 -
\??\c:\062046.exec:\062046.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:276 -
\??\c:\0006464.exec:\0006464.exe25⤵
- Executes dropped EXE
PID:1720 -
\??\c:\08282.exec:\08282.exe26⤵
- Executes dropped EXE
PID:844 -
\??\c:\i008026.exec:\i008026.exe27⤵
- Executes dropped EXE
PID:908 -
\??\c:\84206.exec:\84206.exe28⤵
- Executes dropped EXE
PID:2624 -
\??\c:\hnbbnn.exec:\hnbbnn.exe29⤵
- Executes dropped EXE
PID:2144 -
\??\c:\4688004.exec:\4688004.exe30⤵
- Executes dropped EXE
PID:2012 -
\??\c:\s6648.exec:\s6648.exe31⤵
- Executes dropped EXE
PID:1232 -
\??\c:\3ttnnn.exec:\3ttnnn.exe32⤵
- Executes dropped EXE
PID:2132 -
\??\c:\hntbbt.exec:\hntbbt.exe33⤵
- Executes dropped EXE
PID:1468 -
\??\c:\c020282.exec:\c020282.exe34⤵
- Executes dropped EXE
PID:1864 -
\??\c:\llxxffl.exec:\llxxffl.exe35⤵
- Executes dropped EXE
PID:1516 -
\??\c:\rrrlxlf.exec:\rrrlxlf.exe36⤵
- Executes dropped EXE
PID:2964 -
\??\c:\48688.exec:\48688.exe37⤵
- Executes dropped EXE
PID:2432 -
\??\c:\flfxlfx.exec:\flfxlfx.exe38⤵
- Executes dropped EXE
PID:3068 -
\??\c:\840844.exec:\840844.exe39⤵
- Executes dropped EXE
PID:2732 -
\??\c:\lxxlxlf.exec:\lxxlxlf.exe40⤵
- Executes dropped EXE
PID:2680 -
\??\c:\048024.exec:\048024.exe41⤵
- Executes dropped EXE
PID:2760 -
\??\c:\q46622.exec:\q46622.exe42⤵
- Executes dropped EXE
PID:2896 -
\??\c:\7rlrrll.exec:\7rlrrll.exe43⤵
- Executes dropped EXE
PID:2852 -
\??\c:\64806.exec:\64806.exe44⤵
- Executes dropped EXE
PID:2784 -
\??\c:\vpjvv.exec:\vpjvv.exe45⤵
- Executes dropped EXE
PID:2440 -
\??\c:\02624.exec:\02624.exe46⤵
- Executes dropped EXE
PID:2308 -
\??\c:\ttnthn.exec:\ttnthn.exe47⤵
- Executes dropped EXE
PID:3024 -
\??\c:\4480840.exec:\4480840.exe48⤵
- Executes dropped EXE
PID:2192 -
\??\c:\i620044.exec:\i620044.exe49⤵
- Executes dropped EXE
PID:1604 -
\??\c:\46884.exec:\46884.exe50⤵
- Executes dropped EXE
PID:2260 -
\??\c:\486082.exec:\486082.exe51⤵
- Executes dropped EXE
PID:324 -
\??\c:\bthbht.exec:\bthbht.exe52⤵
- Executes dropped EXE
PID:1892 -
\??\c:\0862442.exec:\0862442.exe53⤵
- Executes dropped EXE
PID:1268 -
\??\c:\28288.exec:\28288.exe54⤵
- Executes dropped EXE
PID:1572 -
\??\c:\djppd.exec:\djppd.exe55⤵
- Executes dropped EXE
PID:1580 -
\??\c:\20484.exec:\20484.exe56⤵
- Executes dropped EXE
PID:2988 -
\??\c:\882020.exec:\882020.exe57⤵
- Executes dropped EXE
PID:860 -
\??\c:\62026.exec:\62026.exe58⤵
- Executes dropped EXE
PID:1900 -
\??\c:\888040.exec:\888040.exe59⤵
- Executes dropped EXE
PID:2184 -
\??\c:\84800.exec:\84800.exe60⤵
- Executes dropped EXE
PID:2400 -
\??\c:\hhttbb.exec:\hhttbb.exe61⤵
- Executes dropped EXE
PID:972 -
\??\c:\fflxlfx.exec:\fflxlfx.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1708 -
\??\c:\2444684.exec:\2444684.exe63⤵
- Executes dropped EXE
PID:1100 -
\??\c:\6226084.exec:\6226084.exe64⤵
- Executes dropped EXE
PID:1524 -
\??\c:\22800.exec:\22800.exe65⤵
- Executes dropped EXE
PID:448 -
\??\c:\htntbn.exec:\htntbn.exe66⤵PID:1920
-
\??\c:\0888688.exec:\0888688.exe67⤵PID:968
-
\??\c:\00802.exec:\00802.exe68⤵PID:904
-
\??\c:\ttnthn.exec:\ttnthn.exe69⤵PID:2144
-
\??\c:\lxxllfr.exec:\lxxllfr.exe70⤵PID:780
-
\??\c:\rrlxfxx.exec:\rrlxfxx.exe71⤵PID:2904
-
\??\c:\0228440.exec:\0228440.exe72⤵PID:1232
-
\??\c:\tbhhtt.exec:\tbhhtt.exe73⤵PID:1316
-
\??\c:\42884.exec:\42884.exe74⤵PID:1500
-
\??\c:\nnhhnb.exec:\nnhhnb.exe75⤵PID:1544
-
\??\c:\xxxrrff.exec:\xxxrrff.exe76⤵PID:2080
-
\??\c:\8002860.exec:\8002860.exe77⤵PID:1516
-
\??\c:\9rfxfrf.exec:\9rfxfrf.exe78⤵PID:2964
-
\??\c:\vdjvv.exec:\vdjvv.exe79⤵PID:2888
-
\??\c:\64088.exec:\64088.exe80⤵PID:2668
-
\??\c:\bnhbbt.exec:\bnhbbt.exe81⤵PID:2748
-
\??\c:\tbbnbb.exec:\tbbnbb.exe82⤵PID:2680
-
\??\c:\jddpd.exec:\jddpd.exe83⤵PID:2760
-
\??\c:\lxrxffr.exec:\lxrxffr.exe84⤵PID:2896
-
\??\c:\xfrrlxl.exec:\xfrrlxl.exe85⤵PID:2788
-
\??\c:\662028.exec:\662028.exe86⤵PID:2784
-
\??\c:\4026206.exec:\4026206.exe87⤵PID:3008
-
\??\c:\842422.exec:\842422.exe88⤵PID:2532
-
\??\c:\1xxlfrr.exec:\1xxlfrr.exe89⤵PID:2004
-
\??\c:\080444.exec:\080444.exe90⤵PID:2544
-
\??\c:\ffrxlxl.exec:\ffrxlxl.exe91⤵PID:2084
-
\??\c:\rrrrffr.exec:\rrrrffr.exe92⤵PID:1368
-
\??\c:\8404428.exec:\8404428.exe93⤵PID:1204
-
\??\c:\hnhttb.exec:\hnhttb.exe94⤵PID:1852
-
\??\c:\bbthth.exec:\bbthth.exe95⤵PID:1796
-
\??\c:\9jdjd.exec:\9jdjd.exe96⤵PID:2820
-
\??\c:\208028.exec:\208028.exe97⤵PID:2876
-
\??\c:\xxrlfxr.exec:\xxrlfxr.exe98⤵PID:2424
-
\??\c:\6406888.exec:\6406888.exe99⤵PID:1116
-
\??\c:\00460.exec:\00460.exe100⤵PID:2512
-
\??\c:\tbnntn.exec:\tbnntn.exe101⤵PID:2956
-
\??\c:\xxrxflx.exec:\xxrxflx.exe102⤵PID:2032
-
\??\c:\5nnntn.exec:\5nnntn.exe103⤵PID:1436
-
\??\c:\1pjvd.exec:\1pjvd.exe104⤵PID:1668
-
\??\c:\428268.exec:\428268.exe105⤵PID:1708
-
\??\c:\vjpdv.exec:\vjpdv.exe106⤵PID:1100
-
\??\c:\xxfxrfx.exec:\xxfxrfx.exe107⤵PID:1524
-
\??\c:\480442.exec:\480442.exe108⤵PID:1760
-
\??\c:\m4688.exec:\m4688.exe109⤵PID:1920
-
\??\c:\u004226.exec:\u004226.exe110⤵PID:1800
-
\??\c:\062868.exec:\062868.exe111⤵PID:2188
-
\??\c:\44442.exec:\44442.exe112⤵PID:696
-
\??\c:\k42228.exec:\k42228.exe113⤵PID:1576
-
\??\c:\lxllrlf.exec:\lxllrlf.exe114⤵PID:1396
-
\??\c:\thtttt.exec:\thtttt.exe115⤵PID:896
-
\??\c:\7hhhnn.exec:\7hhhnn.exe116⤵PID:784
-
\??\c:\lffrflx.exec:\lffrflx.exe117⤵PID:1548
-
\??\c:\k68008.exec:\k68008.exe118⤵PID:1864
-
\??\c:\ppdpd.exec:\ppdpd.exe119⤵PID:1540
-
\??\c:\402244.exec:\402244.exe120⤵PID:2996
-
\??\c:\hhnhtt.exec:\hhnhtt.exe121⤵PID:2140
-
\??\c:\2282242.exec:\2282242.exe122⤵PID:2728